UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The ALG must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).


Overview

Finding ID Version Rule ID IA Controls Severity
V-54641 SRG-NET-000202-ALG-000124 SV-68887r1_rule Medium
Description
A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. As a managed interface, the ALG must block all inbound and outbound network communications traffic to the application being managed and controlled unless a policy filter is installed to explicitly allow the traffic. The allow policy filters must comply with the site's security policy. A deny all, permit by exception network communications traffic policy ensures that only those connections which are essential and approved, are allowed. This requirement applies to both inbound and outbound network communications traffic. All inbound and outbound traffic for which the ALG is acting as an intermediary or proxy must be denied by default.
STIG Date
Application Layer Gateway Security Requirements Guide 2014-11-03

Details

Check Text ( C-55261r1_chk )
Verify the ALG denies network communications traffic by default and allows network communications traffic by exception on both inbound and outbound interfaces.

If the ALG does not deny network communications traffic by default and allow network communications traffic by exception on both inbound and outbound interfaces, this is a finding.
Fix Text (F-59497r1_fix)
Configure the ALG to deny network communications traffic by default and allow network communications traffic by exception on both inbound and outbound interfaces.